
The Art of ISE Posture, Configuration and Troubleshooting
Andrea Bertorello, Security Consulting Engineer
linkedin.com/in/andrea-bertorello/

BRKSEC-2445
Abstract
Endpoint security is a pillar of every organisation, and the trend is towards more endpoint security and compliance checking of the endpoints connected to the organisation’s networks. ISE, together with Cisco Secure Client and its ISE Posture module, can verify and remediate a wide set of criteria before an endpoint is allowed onto the network. With the upcoming ISE 3.2 there will be several possible ISE posture flows and a new Posture Script Condition. This session helps you understand the different posture flows and extend posture coverage to endpoints that were not covered before, together with some real-case scenarios and the most common issues that can affect an implementation but can be solved easily.

BRKSEC-2445 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
About me
• AAA TAC Engineer
• ThousandEyes Support Engineer
• Security Consulting Engineer

Warning!
Italian accent ahead
Icons Used Throughout the Presentation

For your Reference – these items could not be covered in detail during the session.
New – new features introduced in ISE 3.2
Warning – extra attention needed during the configuration
Hidden Content – slides which won’t be presented during the session. Those slides are here to give you more context and detailed information later.
Cisco Webex App

Questions?
Use Cisco Webex App to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated until February 24, 2023.
MTS – Meet the Speaker – Area 2
Let’s continue the discussion/Q&A
Tuesday, Feb 7, 12:20 - 12:50 PM
Agenda
• Introduction to DEMO company
• ISE Posture from 10000 meters
• ISE Posture Journey
• Implementation and Troubleshooting
Session Objectives

Session will cover:
• Theory of Posture
• Posture configuration focused on agent deployment
• Troubleshooting methodology for some kinds of agents

Session will not cover:
• Marketing
• Roadmaps
• All possible Posture features and configuration
Vigilance on what is on your network is just as important as who is on the network. That is why posture is so important.
Based on a True Story
Introduction to our scenario
How to attain and maintain endpoint compliance as per the organization’s security policy?

Diana
Amsterdam HQ
ISE Posture - Theory
ISE Posture from 10000 feet

[Diagram: ISE at the centre of the posture building blocks – Endpoints/Agents (AnyConnect), Policy Enforcement, Decision Making (ISE), Foundation, Remediation Servers, Admin, Posture Updates]
Posture Lifecycle
Step 0 – Manual Installation
Step 1 – Authentication
Step 2 – Client Provisioning
Step 3 – Posture Time
Step 4 – Remediation
Step 5 – CoA
Step 6 – Final Authentication

[Diagram: endpoint, NAD, ISE and Remediation Servers involved across the steps]
Posture Lifecycle - Detailed
Message flow between Endpoint, Network Access Device and ISE:

1. Authentication/Authorization; Access-Accept with Redirect ACL and URL (ISE: Authorization Policy Selection)
2. Client opens a web page; client is redirected to ISE (only in the redirect-based flow)
3. SSL connection to the Redirect URL on port 8443; the connection is protected by the Portal Certificate (ISE: session lookup)
4. User downloads the Network Setup Assistant (ISE: Client Provisioning policy selection)
5. Network Setup Assistant discovers ISE; AnyConnect agent download and installation
6. AnyConnect discovers ISE (ISE: session lookup, Posture policy selection)
7. Compliance check; SSL exchange on port 8905/8443
8. CoA-Request, CoA-Ack (ISE: Authorization Policy Selection)
9. Authentication/Authorization; Access-Accept
Posture and Cisco CoA types
Two main CoA types:

▪ CoA Reauth – this type of CoA is used for wired and wireless NADs. As a result of a successful CoA, the NAD initiates a full authentication process.
▪ CoA Push – this type of CoA is used by the ASA for the posture-over-VPN use case. During posture over VPN, re-authentication is impossible because it would disconnect the end user. For this reason the CoA Push contains the new authorization attributes, which allows the NAD to apply the new access level straight away without disconnecting the user.
ISE Posture Flow types
• Redirect based
• Non-redirect based
ISE Posture Flow types - comparison

|                                         | Redirect             | Non-Redirect           |
| Initial Authentication or Authorization | Redirect ACL and URL | ACL/VLAN               |
| Client Provisioning Portal              |                      |                        |
| PSN Discovery                           | Probes               | Call-Home              |
| Supported Network Access Devices        |                      | No redirection support |
Redirect best practices – Wired
When the client initiates an HTTP session, the NAD intercepts it and returns the url-redirect as the new page location.

▪ http server – enabled; the default port 80 should be used except when a proxy is involved
▪ IPDT – enabled; IP device tracking is a critical component for applying ACLs (required for multi-domain and multi-auth)
▪ SVI in the client subnet – otherwise the traffic flow between client and switch needs to be planned very carefully
▪ DACL and redirect ACL – tricky question, covered separately on the next slide
Redirect best practices – Wireless
▪ AAA override enabled – this allows the WLC to apply the Redirect ACL and Redirect URL to the client
▪ NAC=Radius NAC/ISE – without this option CoA is not supported for the WLAN, which prevents the redirect attributes from being applied
▪ Redirect ACL/Airespace ACL – the same recommendation as for switches. The protection provided by the redirect ACL is enough
ISE Posture Journey

[Diagram: the posture journey steps – Posture Updates, Global Settings, Client Provisioning, Posture Policies, Access Policy, Go Live]
ISE Posture Journey: Posture Updates
Posture Updates
[Screenshot: Posture Updates and Proxy Settings]

Deleted default posture elements are not created again during the next updates.
Posture Updates

Online Updates: Posture updates include a set of predefined checks, rules and support charts for antivirus and antispyware for both Windows and Macintosh operating systems, and operating system information supported by Cisco.

Offline Updates: You can also update Cisco ISE offline from a file on your local system that contains the latest archive of updates.
ISE Posture Journey: Global Settings
Global Settings
Settings highlighted on the screenshot:
• Time for the user to remediate
• What if the client does not support posture?
Global Settings
Posture Lease: Cisco ISE will use the last known posture state and will not reach out to the endpoint to check for compliance.
Agentless Plugin
Endpoint Posture Attributes – Posture Lease
Posture lease is a feature which allows ISE to store the endpoint posture status (Compliant) for up to 365 days.

When an endpoint is within its posture lease, ISE assigns the authorization policy with ‘Compliant’ status right away.

AnyConnect is NOT aware of the lease. To display the proper posture status, PSN discovery is performed. This discovery is an example of a valid case where redirection does not happen in a redirect-based environment.
Endpoint Session Attributes – Posture Status
The initial posture state of the session is determined according to the diagram below:

Authentication request from NAD
  → Is this a new session ID?
      No  → keep the session’s current posture status (Unknown, Compliant or Non-Compliant)
      Yes → Does the endpoint have a valid posture lease?
              Yes → Compliant
              No  → Unknown

After the PSN processes the posture report from the endpoint, the session moves from the Unknown state to Compliant or Non-Compliant.
ISE Posture Journey: Client Provisioning
Client Provisioning

ISE Posture: Agent types
• AnyConnect
• AnyConnect Stealth
• Temporal Agent
• Agentless
Client Provisioning

Posture Agents – Agent
• Posture Lease
• Conditions
• Periodic Reassessments (PRA)
• Grace Period
• Deployed by ISE or VPN head-end
• Manual Remediation
Client Provisioning

Posture Agents – Agent Stealth
• Background service, no user interaction
• Limited remediations
• AnyConnect, deployed by ISE or VPN head-end
Client Provisioning

Posture Agents – Temporal Agent
[Diagram: contractors (John) and guests (Bob) run the Temporal Agent against ISE; the agent is removed afterwards]
Client Provisioning

Posture Agents – Temporal Agent

The Temporal Agent does not support the following conditions:
• Service Condition-MAC—System Daemon check
• Service Condition-MAC—Daemon or User Agent check
• PM—Up To Date check
• PM—Enabled check
• DE—Encryption check

VLAN Controlled Posture
The Temporal Agent does not support VLAN-controlled posture for macOS: recognizing the new IP address requires root privileges, but the Temporal Agent runs as a user process.
Client Provisioning

Agentless posture
|             | Windows                 | macOS         |
| Script type | PowerShell 5.1 or later | Shell (.sh)   |
| Connection  | Port 5985               | SSH, port 22  |
| cURL        | 7.34 or later           | 7.34 or later |
Client Provisioning

Posture Agentless – flow between Client, NAD and ISE:
1. Endpoint probing by ISE
2. Script push (PowerShell on Windows, shell (.sh) on macOS)
3. Script execution on the endpoint; the ISE Admin certificate must be trusted
4. Requirement list
Client Provisioning

Which Posture Agent to choose
Client Provisioning

Which agent do you need?
[Chart: AnyConnect, AC Stealth, Temporal Agent and Agentless compared on Visibility, Time to implement, More Protection and Capability (specific OS, remediation, reassessment, checks)]
Client Provisioning

Posture Deployment Options (✅ Supported, ❗ Limitations, ❌ Not Supported; each agent column lists one mark per supported operating system, in the order of the original slide)

| Capability                   | AnyConnect                    | AC Stealth         | Temporal  | Agentless |
| Anti-Malware Checks          | ✅ ✅ ✅                      | ✅ ✅              | ✅ ✅     | ✅ ✅     |
| Firewall Installation Checks | ✅ ✅ ❌                      | ✅ ✅              | ✅ ✅     | ✅ ✅     |
| Application Inventory        | ✅ ✅ ❌                      | ✅ ✅              | ✅ ✅     | ✅ ✅     |
| Hardware Inventory           | ✅ ✅ ❌                      | ✅ ✅              | ✅ ✅     | ✅ ✅     |
| Process Checks               | ✅ ✅ ✅                      | ✅ ✅              | ✅ ✅     | ✅ ✅     |
| Dictionary Conditions        | ✅ ✅ ✅                      | ✅ ✅              | ✅ ✅     | ✅ ✅     |
| Application Checks           | ✅ ✅ ❌                      | ✅ ✅              | ✅ ✅     | ✅ ✅     |
| File Checks                  | ✅ ✅ ❗                      | ✅ ✅              | ✅ ✅     | ❗ ✅     |
| Service Checks               | ✅ ✅ ❌                      | ✅ ✅              | ✅ ❗     | ✅ ❗     |
| Disk Encryption              | ✅ ✅ ❌                      | ✅ ✅              | ❗ ❗     | ❗ ❗     |
| Patch Management             | ✅ ✅ ❗                      | ✅ ✅              | ❗ ❗     | ❗ ❗     |
| Registry Checks              | ✅ N/A N/A                    | ✅ N/A             | ✅ N/A    | ❗ N/A    |
| USB Checks                   | ✅ ❌ ❌                      | ✅ ❌              | ✅ ❌     | ✅ ❌     |
| WSUS remediation (legacy)    | ✅ N/A N/A                    | ✅ N/A             | ❌ ❌     | ❌ ❌     |
| Remediation                  | Auto/Manual, Partial, Partial | Part Auto, Partial | Text, Text | ❌ ❌    |
| Reassessment                 | ✅ ✅ ✅                      | ✅ ✅              | ❌ ❌     | ❌ ❌     |
Client Provisioning

Client Provisioning Resources (tabs: Resources, AnyConnect Profile, Client Provisioning Policy)
Some agents must be downloaded from the Cisco Software Center and uploaded manually.
Client Provisioning

Client Provisioning Resources – how does the agent check the endpoint’s armour?

Compliance Module – offers the ability to assess an endpoint’s compliance.
OPSWAT – the Cisco Compliance Module uses the OESIS framework from OPSWAT for detection and remediation: https://www.slideshare.net/OPSWAT/introduction-to-oesis-framework
Posture Updates – include predefined checks, rules, support charts and the latest definition versions.
Client Provisioning

[Screenshot slides: Client Provisioning Resources, AnyConnect Profile and Client Provisioning Policy configuration]
Client Provisioning

Client Provisioning Resources – AnyConnect Configuration: Configuration Name, Compliance Module, Modules, Profile AC

In the case of posture over VPN, AnyConnect cannot be updated if ISE has a higher AC package version than the ASA.
Client Provisioning

Client Provisioning Policy: specify the AnyConnect Agent Configuration
Portal settings adjustment
▪ Guest Portal – posture can be executed as part of the Guest Flow. This can be done on ‘Self-Registered’ and ‘Sponsored’ guest portals. The ‘Hot-Spot’ portal is not supported for posture.

Facts about posture inside the Guest Flow:
▪ Only one check box needs to be enabled in the portal settings
▪ Only the Temporal Agent is supported in client provisioning
▪ Do not use a VLAN change in the authorization profiles for guests (e.g. the authorization profile with redirect has VLAN 10 and the compliant authorization profile has VLAN 20), because when MAB is used the endpoint cannot detect the VLAN change

Enable posture on the guest portal
Navigate to Work Centers > Guest Access > Portal & Components > Guest Portals.
Open the portal on which you would like to enable posture and navigate to the section ‘Guest Device Compliance Settings’. After posture is enabled, two additional components are added to the portal ‘block diagram’ on the right.
Client Provisioning

Posture Agents – our choice
• Employees: agent based
• Contractors: Stealth Agent
• Small branch: Agentless (PowerShell)
• Fallback: Temporal Agent
ISE Posture Journey: Configuration – Posture Policies
Posture Policies

ISE Posture Checks: Requirement = Condition + Remediation

Condition types: Anti-Malware, Anti-Spyware, Anti-Virus, Application, Compound, Dictionary Compound, Dictionary Simple, Disk Encryption, External DataSource, File, Firewall, Hardware Attributes, Patch Management, Registry, Script, Service, USB
Posture Policies

ISE Posture Policy: Policy Elements and Policy Sets
Endpoint Posture Attributes – Grace Period
The grace period feature allows an endpoint to get ‘Compliant’ network access when it becomes Non-Compliant after having been compliant in the past.

The functionality is based on two attributes:

PostureLastCompliantExpiry – the attribute is in Unix Epoch format. The grace period starts if the posture status changed to non-compliant within the Last Known Posture Compliant State.

Remaining Grace Period * – stored in a special table of the Oracle config DB. ISE starts populating LAST_GRACE_EXPIRY after the endpoint has been marked as non-compliant while being within the Last Known Posture Compliant State.

* While the Grace Period feature itself was added in 2.4, Remaining Grace Period is stored in the Oracle DB starting from 2.6. In 2.4 Remaining Grace Period was stored in a special in-memory cache.
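The following Python model is an added illustration, not ISE code, of the session posture attributes described on the ‘Posture Status’ decision diagram and on this Grace Period slide: a posture lease that makes a new session Compliant right away, the Unknown → Compliant/NonCompliant transition after a posture report, and a grace period that keeps Compliant access for a while after the endpoint turns non-compliant. The class and method names, the lease and grace durations and the scenario timeline are constructed for the example; only the attribute names quoted in the comments come from the slide.

```python
"""Added model (not ISE code) of the per-endpoint and per-session posture attributes
from the 'Posture Status' diagram and the 'Grace Period' slide. Times are Unix epoch
seconds, the format the slide gives for PostureLastCompliantExpiry."""
from dataclasses import dataclass

DAY = 86400
UNKNOWN, COMPLIANT, NON_COMPLIANT = "Unknown", "Compliant", "NonCompliant"


@dataclass
class Endpoint:
    """Attributes ISE keeps per endpoint, across sessions (constructed names)."""
    mac: str
    lease_expiry: int = 0            # posture lease: the Compliant result is trusted until then
    last_compliant_expiry: int = 0   # PostureLastCompliantExpiry on the slide
    grace_expiry: int = 0            # Remaining Grace Period (LAST_GRACE_EXPIRY) on the slide


@dataclass
class Session:
    session_id: str
    posture_status: str = UNKNOWN


class PostureState:
    def __init__(self, lease_days, grace_seconds, last_known_compliant_seconds):
        if not 0 <= lease_days <= 365:
            raise ValueError("posture lease is 0 (disabled) to 365 days")
        self.lease_days = lease_days
        self.grace_seconds = grace_seconds
        self.last_known_compliant_seconds = last_known_compliant_seconds
        self.sessions = {}
        self.endpoints = {}

    def _endpoint(self, mac):
        return self.endpoints.setdefault(mac, Endpoint(mac))

    def authenticate(self, session_id, mac, now):
        """Authentication request from the NAD: initial posture status of the session."""
        if session_id in self.sessions:
            # Not a new session ID: the session keeps whatever status it already has.
            return self.sessions[session_id].posture_status
        ep = self._endpoint(mac)
        # New session: a valid posture lease gives Compliant right away, else Unknown.
        status = COMPLIANT if ep.lease_expiry > now else UNKNOWN
        self.sessions[session_id] = Session(session_id, status)
        return status

    def posture_report(self, session_id, mac, compliant, now):
        """PSN processed the endpoint's posture report: Unknown becomes a final status."""
        sess, ep = self.sessions[session_id], self._endpoint(mac)
        if compliant:
            sess.posture_status = COMPLIANT
            if self.lease_days:
                ep.lease_expiry = now + self.lease_days * DAY
            ep.last_compliant_expiry = now + self.last_known_compliant_seconds
            ep.grace_expiry = 0
        else:
            sess.posture_status = NON_COMPLIANT
            # Grace period starts only when the endpoint went non-compliant while still
            # inside its Last Known Posture Compliant State window.
            if ep.last_compliant_expiry > now and not ep.grace_expiry:
                ep.grace_expiry = now + self.grace_seconds
        return sess.posture_status

    def access_level(self, session_id, mac, now):
        """Authorization result: a running grace period still yields Compliant access."""
        status = self.sessions[session_id].posture_status
        if status == NON_COMPLIANT and self._endpoint(mac).grace_expiry > now:
            return COMPLIANT
        return status


def scenario():
    """Constructed walk-through; returns the sequence of statuses / access levels."""
    st = PostureState(lease_days=1, grace_seconds=600, last_known_compliant_seconds=7 * DAY)
    mac, t0 = "00-0C-29-A6-39-CD", 1_700_000_000
    return [
        st.authenticate("s1", mac, t0),                          # new session, no lease
        st.posture_report("s1", mac, True, t0 + 60),             # compliant, lease starts
        st.authenticate("s2", mac, t0 + 3600),                   # new session inside the lease
        st.authenticate("s3", mac, t0 + 2 * DAY),                # lease expired
        st.posture_report("s3", mac, False, t0 + 2 * DAY + 60),  # now non-compliant
        st.access_level("s3", mac, t0 + 2 * DAY + 120),          # inside grace period
        st.access_level("s3", mac, t0 + 2 * DAY + 1000),         # grace period over
    ]
```

Running scenario() walks an endpoint through both slides: Unknown on first sight, Compliant after the report, Compliant right away on a new session while the lease is valid, Unknown once the lease lapsed, then NonCompliant with Compliant access only as long as the grace period runs.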

Posture Policies

Posture Conditions – our requirements
• Employee: Anti-Malware
• Contractors: External Data Source
• Small branch (PowerShell): Win10 latest patch, Firewall Enabled
Posture Policies

The last-minute request: “Does the endpoint have the necessary corporate CA certs installed?”
Posture Policies

Posture Script Condition (New)

Dynamic requirements, for example:
• Are all corporate CA certs and no rogue CA certs installed?
• Has the user overwritten the network configuration to use a specific DNS?

ISE pushes the script (.ps1 or .sh) to the endpoint and evaluates the response.
Posture Policies

Posture Script Condition – Prerequisites (New)
• Establish trust between the endpoint and the PSN
• ISE certificate in the Local Machine Store
• PSN certificate SHA-256 fingerprint in AnyConnectLocalPolicy.xml
Posture Policies

Posture Script Condition – Prerequisites (New)

openssl x509 -in 535-pos.crt -fingerprint -noout -sha256
SHA256 Fingerprint=B9:42:7F:85:09:18:30:40:06:0B:DB:9C:48:36:F0:60:90:75:AB:D3:E9:83:AB:1A:BF:01:8F:6E:F0:11:9A:B5

<TrustedISECertFingerprints>
  <fingerprint>
    <algorithm>SHA-256</algorithm>
    <hash>30:5D:A8:0E:3B:36:6C:3A:04:0C:DF:66:D0:3B:9B:DE:94:B8:87:ED:17:5F:B7:A4:94:BF:3A:29:A5:7B:35:D0</hash>
  </fingerprint>
</TrustedISECertFingerprints>
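Added example, not Cisco tooling: a small Python helper that compares the fingerprint printed by the openssl command above with the entries in the TrustedISECertFingerprints block of AnyConnectLocalPolicy.xml, normalising case and colons before comparing, and that renders a new <fingerprint> entry in the file’s format. The two values embedded are copied from this slide (they differ, so the check reports the PSN as untrusted); the enclosing root element is an assumption, since the slide shows only the fragment.

```python
"""Added example (not Cisco code): is the PSN certificate fingerprint reported by
openssl present in TrustedISECertFingerprints of AnyConnectLocalPolicy.xml?"""
import re
import xml.etree.ElementTree as ET

# Copy of the openssl output shown on the slide.
OPENSSL_OUTPUT = ("SHA256 Fingerprint=B9:42:7F:85:09:18:30:40:06:0B:DB:9C:48:36:F0:60:90:75:"
                  "AB:D3:E9:83:AB:1A:BF:01:8F:6E:F0:11:9A:B5")

# The <TrustedISECertFingerprints> fragment from the slide; the root element is an assumption.
LOCAL_POLICY_XML = """<AnyConnectLocalPolicy>
  <TrustedISECertFingerprints>
    <fingerprint>
      <algorithm>SHA-256</algorithm>
      <hash>30:5D:A8:0E:3B:36:6C:3A:04:0C:DF:66:D0:3B:9B:DE:94:B8:87:ED:17:5F:B7:A4:94:BF:3A:29:A5:7B:35:D0</hash>
    </fingerprint>
  </TrustedISECertFingerprints>
</AnyConnectLocalPolicy>"""

DIGEST_BITS = {"SHA256": 256}   # the slide only uses SHA-256


def normalize(algorithm, digest):
    """Canonical (ALGO, HEX) pair: algorithm without dashes, hex upper-case without colons."""
    algo = algorithm.upper().replace("-", "")
    hexdigest = digest.replace(":", "").upper()
    if (algo not in DIGEST_BITS or not re.fullmatch(r"[0-9A-F]+", hexdigest)
            or len(hexdigest) * 4 != DIGEST_BITS[algo]):
        raise ValueError("malformed %s fingerprint: %r" % (algorithm, digest))
    return algo, hexdigest


def parse_openssl_fingerprint(text):
    """Parse the 'SHA256 Fingerprint=AB:CD:...' line printed by openssl x509 -fingerprint."""
    m = re.search(r"(SHA\d+)\s+Fingerprint=([0-9A-Fa-f:]+)", text)
    if not m:
        raise ValueError("no fingerprint line found")
    return normalize(m.group(1), m.group(2))


def _local(tag):
    return tag.rsplit("}", 1)[-1]   # ignore any XML namespace on the element


def trusted_fingerprints(xml_text):
    """All (ALGO, HEX) pairs listed under <fingerprint> elements, wherever they sit."""
    found = set()
    for fp in ET.fromstring(xml_text).iter():
        if _local(fp.tag) != "fingerprint":
            continue
        algo = hashval = None
        for child in fp:
            if _local(child.tag) == "algorithm":
                algo = (child.text or "").strip()
            elif _local(child.tag) == "hash":
                hashval = (child.text or "").strip()
        if algo and hashval:
            found.add(normalize(algo, hashval))
    return found


def psn_is_trusted(openssl_output, xml_text):
    """True when the PSN certificate fingerprint is pinned in the local policy."""
    return parse_openssl_fingerprint(openssl_output) in trusted_fingerprints(xml_text)


def fingerprint_entry(openssl_output):
    """Render the <fingerprint> element to add under TrustedISECertFingerprints."""
    _, hexdigest = parse_openssl_fingerprint(openssl_output)
    colon = ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return ("<fingerprint>\n  <algorithm>SHA-256</algorithm>\n"
            "  <hash>%s</hash>\n</fingerprint>" % colon)
```

With the slide’s two values psn_is_trusted() returns False, which is exactly the situation where the agent would later report exit code -9 (ISE certificate is not trusted); pasting the output of fingerprint_entry() into the file fixes it.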

Posture Policies

Posture Script Condition - Configuration
• Exit code: Fail – other than 0; Pass – 0
• PowerShell execution policy: Bypass, AllSigned or None
• Run as: Admin vs Logged-in User
• Folder
Posture Policies

Posture Script Condition – Script Download (New)

Script location on the endpoint (.ps1 / .sh):
• Windows, elevated privileges: %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\scripts
• Windows, logged-in user: %LOCALAPPDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\scripts
• macOS, elevated privileges: /opt/cisco/anyconnect/iseposture/scripts
• macOS, logged-in user: ~/.cisco/iseposture/scripts

Download logic: if a script with a matching filename already exists and its file hash matches, the existing script is reused; otherwise the script is downloaded.
Posture Policies

Posture Script Condition – Exit Code

The script exit code must be between 0 and 255. ISE reports the exit code; other failure possibilities are signalled with pre-defined codes:
• < 0: pre-defined exit code (failure detected by the agent)
• > 0: user-defined exit code (failure returned by the script)
Posture Policies
Posture Script Exit Codes

| Exit Code | Reason |
| 0  | Script execution was successful and exited with success |
| >0 | Script execution was successful; however, the exit code returned the failure code |
| -1 | Script execution check wasn’t attempted |
| -2 | Data integrity failed |
| -3 | Error in script download |
| -4 | Script verification failed |
| -5 | Script executed; however, script execution didn’t complete within the specified timeout |
| -6 | Generic failure (not covered by any of the other failures) |
| -7 | Script type is not supported |
| -8 | Script failed to launch |
| -9 | ISE certificate is not trusted |

Remember: if the script exit code is out of bounds, it is set to 255.
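Added example (not Cisco’s agent code) of how a runner on the endpoint side would produce the exit codes in this table: the script’s own 0 / >0 result, 255 for an out-of-bounds result, and the pre-defined negative codes for an unsupported script type (-7), a failed verification (-4, assuming verification means comparing the downloaded file’s SHA-256 with the expected value, as in the "script file hash match" step of the download slide), a missing download (-3), a timeout (-5) and a launch failure (-8). The launcher commands, the hash check and the constructed demo scripts are assumptions for the illustration; the demo runs .sh scripts with /bin/sh.

```python
"""Added example (not Cisco code): agent-side interpretation of posture script results."""
import hashlib
import os
import subprocess
import tempfile

# Reason text for the pre-defined (negative) codes, from the slide table.
PREDEFINED_EXIT_CODES = {
    -1: "Script execution check wasn't attempted",
    -2: "Data integrity failed",
    -3: "Error in script download",
    -4: "Script verification failed",
    -5: "Script executed but did not complete within the specified timeout",
    -6: "Generic failure",
    -7: "Script type is not supported",
    -8: "Script failed to launch",
    -9: "ISE certificate is not trusted",
}

# Assumption: interpreter per script type (the real agent's mapping is not on the slide).
LAUNCHERS = {".sh": ["/bin/sh"], ".ps1": ["powershell.exe", "-ExecutionPolicy", "Bypass", "-File"]}


def normalize_exit_code(rc):
    """Script exit codes must be between 0 and 255; anything else is recorded as 255."""
    return rc if 0 <= rc <= 255 else 255


def classify(code):
    """Pass/Fail verdict: only 0 passes; >0 is user-defined, <0 is a pre-defined failure."""
    if code == 0:
        return "Pass"
    if code > 0:
        return "Fail (user-defined exit code %d)" % code
    return "Fail (%s)" % PREDEFINED_EXIT_CODES.get(code, "unknown pre-defined code")


def run_posture_script(path, expected_sha256, timeout_s):
    """Return the code ISE would receive for this script (0..255 or a pre-defined <0)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in LAUNCHERS:
        return -7
    if not os.path.isfile(path):
        return -3       # assumption: a missing file is treated as a failed download
    with open(path, "rb") as fh:
        if hashlib.sha256(fh.read()).hexdigest().lower() != expected_sha256.lower():
            return -4   # the file on disk is not the script ISE published
    try:
        proc = subprocess.run(LAUNCHERS[ext] + [path], timeout=timeout_s, capture_output=True)
    except subprocess.TimeoutExpired:
        return -5
    except OSError:
        return -8       # interpreter missing or not executable
    return normalize_exit_code(proc.returncode)


def _write(dirname, name, body):
    """Write a constructed demo script and return (path, sha256)."""
    path = os.path.join(dirname, name)
    with open(path, "w") as fh:
        fh.write(body)
    return path, hashlib.sha256(body.encode()).hexdigest()


def demo():
    """Constructed scripts exercising each outcome; returns {case: exit code}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path, digest = _write(tmp, "fw_check.sh", "#!/bin/sh\nexit 0\n")
        results["pass"] = run_posture_script(path, digest, 5)
        path, digest = _write(tmp, "ca_check.sh", "#!/bin/sh\nexit 1\n")
        results["user_fail"] = run_posture_script(path, digest, 5)
        results["tampered"] = run_posture_script(path, "00" * 32, 5)
        path, digest = _write(tmp, "slow.sh", "#!/bin/sh\nexec sleep 5\n")
        results["timeout"] = run_posture_script(path, digest, 0.5)
        path, digest = _write(tmp, "check.py", "print('not a posture script')\n")
        results["unsupported"] = run_posture_script(path, digest, 5)
        results["missing"] = run_posture_script(os.path.join(tmp, "gone.sh"), digest, 5)
    return results
```

The verdict rule is the one from the configuration slide: only 0 passes. Keeping the user-defined failure codes distinct (1, 2, 3 …) per check makes the posture report say which requirement failed, instead of a single generic "exited with failure code 1".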

ISE Posture Journey: Access Policy
Access Policy

Access Policies – Redirect Chaining

We need to redirect our clients to the Client Provisioning Portal, then provide access or deny it, based on the posture status: Compliant, NonCompliant, Unknown.

The redirect ACL referenced by the authorization profile must exist on the NAD.
ISE Posture Journey: Time to Go Live
Implementation and Troubleshooting together

DEMO Implementation (Diana)
• Employee: Anti-Malware; script for CA (.ps1 / .sh)
• Contractors: External Data Source
• Small branch (PowerShell): Win10 latest patch, Firewall Enabled
Employee – Agent based
Agent Posture – Employee Client Provisioning
• AC Posture Profile
• Posture Updates
• AC Package + Compliance Module (from cisco.com)
• Client Provisioning policy, condition AD: Agent_Posture
Agent Posture – Employee Posture Configuration
Posture Condition (script .ps1 / .sh)
Agent Posture – Employee Posture Configuration

Posture Remediation: Warning with explanation
Posture Requirements
Posture Policy
Agent Posture: Final Step
AD: Agent Posture

Time to test
Script Troubleshoot
1. Prerequisites check
2. Check the script failure report (example: "Condition: Script was executed, and the script exited with failure code 1")
3. Check if the script is downloaded correctly
4. Manually run the script on the endpoint (a typical PowerShell error at this step: "Running script is disabled on this system")
5. Make sure the exit code is correct
6. Results
Troubleshoot Posture by ISE logs – iseLocalStore
By default, each ISE node stores all syslog messages of certain logging categories locally for 1 day:

CLI:

ise32/admin#show logging application | include iseLocal
573509 Jan 24 2023 09:57:54 localStore/iseLocalStore.log
1362872 Jan 23 2023 23:59:55 localStore/iseLocalStore.log.2023-01-23-00-00-00-736
Troubleshoot Posture by ISE logs – iseLocalStore

To include iseLocalStore in your support bundle, remember to tick the corresponding checkbox.

Important message codes from iseLocalStore:
80002 INFO Profiler: Profiler EndPoint profiling event occurred
5205 NOTICE Dynamic-Authorization: Dynamic Authorization succeeded
3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update
3000 NOTICE Radius-Accounting: RADIUS Accounting start request
What we have on ISE for posture – PrRT
Logs: prrt-server.log with runtime-aaa in DEBUG

Search key for all RADIUS packets of a specific endpoint:

CallingStationID=F0:78:07:11:11:17.*RADIUS PACKET.*Code=

Example: we have a posture CoA failure and would like to see more details in the logs (VPN example):

ade # cat prrt-server.log | grep -a 'CallingStationID=10.61.238.240.*RADIUS PACKET.*Code='
Radius,2022-10-23 12:22:40,492,DEBUG,0x7f496a3e6700,cntx=0027628155,sesn=skuchere-ise26-1/384213726/11919,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=1(AccessRequest) Identifier=79 Length=673
Radius,2022-10-23 12:22:44,122,DEBUG,0x7f496a2e5700,cntx=0027628155,sesn=skuchere-ise26-1/384213726/11919,CPMSessionID=c0a81c010073e0005f92af8b,user=bob@example.com,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=2(AccessAccept) Identifier=79 Length=471
Radius,2022-10-23 12:22:44,159,DEBUG,0x7f496a1e4700,cntx=0027628189,sesn=skuchere-ise26-1/384213726/11921,CPMSessionID=c0a81c010073e0005f92af8b,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=4(AccountingRequest) Identifier=81 Length=728
Radius,2022-10-23 12:22:44,169,DEBUG,0x7f496a6e9700,cntx=0027628189,sesn=skuchere-ise26-1/384213726/11921,CPMSessionID=c0a81c010073e0005f92af8b,user=bob@example.com,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=5(AccountingResponse) Identifier=81 Length=20,RADIUSHandler.cpp:2214
RadiusClient,2022-10-23 12:23:03,481,DEBUG,0x7f495e92c700,cntx=0027628350,sesn=1a8cd632-9b18-4076-af60-3eef7af79cb4,CallingStationID=10.61.238.240, RADIUS PACKET: Code=43 (CoARequest) Identifier=25 Length=205
RadiusClient,2022-10-23 12:23:03,485,DEBUG,0x7f496a1e4700,cntx=0027628350,sesn=1a8cd632-9b18-4076-af60-3eef7af79cb4,CallingStationID=10.61.238.240, RADIUS PACKET: Code=44 (CoAACK) Identifier=25 Length=20,RadiusClientHandler.cpp:49
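Added example, not a Cisco tool: a Python parser for RADIUS PACKET lines like the ones above that groups packets per CallingStationID and pairs each CoA-Request (code 43) with the CoA-ACK (44) or CoA-NAK (45) carrying the same Identifier, so a posture CoA that was NAKed or never answered stands out without reading the wh
 whole file. The sample lines are constructed in the slide’s format (the PSN name, session IDs and the second and third stations are invented).

```python
"""Added example (not Cisco tooling): pair posture CoA requests with their answers in
prrt-server.log output captured with runtime-aaa in DEBUG."""
import re
from collections import defaultdict

# Constructed sample lines in the slide's format (PSN name, IDs and extra stations invented).
SAMPLE_LOG = """\
Radius,2022-10-23 12:22:40,492,DEBUG,0x7f496a3e6700,cntx=0027628155,sesn=psn1/384213726/11919,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=1(AccessRequest) Identifier=79 Length=673
Radius,2022-10-23 12:22:44,122,DEBUG,0x7f496a2e5700,cntx=0027628155,sesn=psn1/384213726/11919,CPMSessionID=c0a81c010073e0005f92af8b,user=bob@example.com,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=2(AccessAccept) Identifier=79 Length=471
Radius,2022-10-23 12:22:44,159,DEBUG,0x7f496a1e4700,cntx=0027628189,sesn=psn1/384213726/11921,CPMSessionID=c0a81c010073e0005f92af8b,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=4(AccountingRequest) Identifier=81 Length=728
Radius,2022-10-23 12:22:44,169,DEBUG,0x7f496a6e9700,cntx=0027628189,sesn=psn1/384213726/11921,CPMSessionID=c0a81c010073e0005f92af8b,user=bob@example.com,CallingStationID=10.61.238.240,RADIUS PACKET:: Code=5(AccountingResponse) Identifier=81 Length=20,RADIUSHandler.cpp:2214
RadiusClient,2022-10-23 12:23:03,481,DEBUG,0x7f495e92c700,cntx=0027628350,sesn=1a8cd632-9b18-4076-af60-3eef7af79cb4,CallingStationID=10.61.238.240, RADIUS PACKET: Code=43 (CoARequest) Identifier=25 Length=205
RadiusClient,2022-10-23 12:23:03,485,DEBUG,0x7f496a1e4700,cntx=0027628350,sesn=1a8cd632-9b18-4076-af60-3eef7af79cb4,CallingStationID=10.61.238.240, RADIUS PACKET: Code=44 (CoAACK) Identifier=25 Length=20,RadiusClientHandler.cpp:49
RadiusClient,2022-10-23 12:31:10,002,DEBUG,0x7f495e92c700,cntx=0027629001,sesn=5c0e1b2a-1111-4aaa-b222-000000000001,CallingStationID=F0:78:07:11:11:17, RADIUS PACKET: Code=43 (CoARequest) Identifier=26 Length=190
RadiusClient,2022-10-23 12:31:10,009,DEBUG,0x7f496a1e4700,cntx=0027629001,sesn=5c0e1b2a-1111-4aaa-b222-000000000001,CallingStationID=F0:78:07:11:11:17, RADIUS PACKET: Code=45 (CoANAK) Identifier=26 Length=20,RadiusClientHandler.cpp:49
RadiusClient,2022-10-23 12:40:00,100,DEBUG,0x7f495e92c700,cntx=0027629500,sesn=5c0e1b2a-2222-4bbb-c333-000000000002,CallingStationID=F0:78:07:22:22:28, RADIUS PACKET: Code=43 (CoARequest) Identifier=27 Length=190
"""

# Both spellings seen in the log: 'RADIUS PACKET:: Code=1(AccessRequest)' and 'RADIUS PACKET: Code=43 (CoARequest)'.
PACKET_RE = re.compile(
    r"^(?P<component>\w+),(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+),.*?"
    r"CallingStationID=(?P<station>[^,]+),.*?"
    r"RADIUS PACKET:{1,2} Code=(?P<code>\d+)\s?\((?P<name>\w+)\)\s+Identifier=(?P<ident>\d+)"
)


def parse_packets(text):
    """One dict per RADIUS PACKET line; other debug lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            d = m.groupdict()
            d["code"], d["ident"] = int(d["code"]), int(d["ident"])
            packets.append(d)
    return packets


def codes_per_station(packets):
    """RADIUS code sequence seen for each CallingStationID, in log order."""
    seq = defaultdict(list)
    for p in packets:
        seq[p["station"]].append(p["code"])
    return dict(seq)


def coa_outcomes(packets):
    """Pair every CoA-Request (43) with the CoA-ACK (44) / CoA-NAK (45) that carries the
    same Identifier for the same station (RFC 5176 codes). Simplification: Identifiers
    are assumed not to be reused for one station within the captured window."""
    outcomes = {}
    for p in packets:
        key = (p["station"], p["ident"])
        if p["code"] == 43:
            outcomes[key] = "no response"
        elif p["code"] in (44, 45) and key in outcomes:
            outcomes[key] = {44: "ack", 45: "nak"}[p["code"]]
    return outcomes


def failed_coas(text):
    """Stations whose posture CoA did not succeed: the ones to investigate first."""
    return sorted(station for (station, _), result in coa_outcomes(parse_packets(text)).items()
                  if result != "ack")
```

Feeding the real file through parse_packets() replaces the grep above: the station from the slide shows the expected 1, 2, 4, 5, 43, 44 sequence, while a NAKed or unanswered CoA-Request (a NAD that rejects the CoA, or one that never receives it) is listed by failed_coas().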

What we have on ISE for posture – Policy
Authorization policy troubleshooting:

Components in DEBUG mode:
epm-pip
epm-pdp

Debugs are saved into ise-psc.log.

Example to troubleshoot posture status:

ade # cat ise-psc.log | grep -a '.pip.*PostureStatus'

2022-10-23 12:22:44,066 DEBUG [Thread-253][] cisco.cpm.posture.pip.PostureStatusPIP -::::- PostureStatusPIP for mac 00-0C-29-A6-39-CD - Attribute Session.PostureStatus value is Unknown
2022-10-23 12:52:31,559 DEBUG [Thread-616][] cisco.cpm.posture.pip.PostureStatusPIP -::::- fast reconnect is enabled
2022-10-23 12:52:31,590 DEBUG [Thread-616][] cisco.cpm.posture.pip.PostureStatusPIP -::::- the posture expiry value is null
2022-10-23 12:52:31,590 DEBUG [Thread-616][] cisco.cpm.posture.pip.PostureStatusPIP -::::- PostureStatusPIP for mac 00-0C-29-A6-39-CD - Attribute Session.PostureStatus value is Unknown
What we have on ISE for posture – Provisioning
Client Provisioning Troubleshooting

Components in DEBUG mode:
client-webapp
provisioning

Target files are ise-psc.log and guest.log (in guest.log specifically we see the agent exchanges with ISE):

ade # cat guest.log | grep -C 10 -a '2022-10-23 12:52.*192.168.253.11'

Use the endpoint MAC or IP as a search key, and add date/time to focus on a specific posture attempt.

Start from:

2022-10-23 12:52:44,750 DEBUG [https-jsse-nio-192.168.43.26-8443-exec-2][] cisco.cpm.client.posture.PostureStatusServlet -::- Got http request from 192.168.253.11 user agent is: Mozilla/4.0 (compatible; WINDOWS; 1.2.1.10.0.48; AnyConnect Posture Agent v.4.9.01095)

and follow the logs.
What we have on ISE for posture – Posture
If you need to debug posture events:

Component in DEBUG: posture

Target file is ise-psc.log

cat ise-psc.log | grep -a '2022-10-23 12:52:.*posture.runtime.PostureHandlerImpl.*receiving request from client.*00:0C:29:A6:39:D7\|2022-10-23 12:52:.*https-jsse-nio.*Sending response to endpoint.*00-0C-29-A6-39-CD'

It’s better to use date/time in the search to narrow down the results to a specific posture attempt. To investigate the entire flow, start from the very first "receiving request from client" message and follow the logs.

2022-10-23 12:52:52,526 DEBUG [https-jsse-nio-192.168.43.26-8443-exec-8][] cisco.cpm.posture.runtime.PostureHandlerImpl -::::- receiving request from client 497be29bbe8a693617ccb60b539b451d3c6a5028 192.168.253.11 00:0C:29:A6:39:D7,00:0C:29:A6:39:D7,00:0C:29:A6:39:D7,00:0C:29:A6:39:D7,00:0C:29:A6:39:D7,00:0C:29:A6:39:D7,00:0C:29:A6:39:D7,00:0C:29:A6:39:D7,00:0C:29:A6:39:CD,00:0C:29:A6:39:CD,02:00:4C:4F:4F:50,02:00:4C:4F:4F:50,8C:85:90:7A:E5:57,8C:85:90:7A:E5:57 192.168.253.11,fe80::cee4:5f40:58e3:b231,fe80::6591:5a94:e697:26b0,169.254.170.158,fe80::b8d4:3f6f:bc0a:aa9e,2001:99::10,2001:78::10,2001:64::10,172.16.231.140,fe80::989c:608c:5da0:d0f3,169.254.144.137,fe80::35f9:85df:8f4e:9089,169.254.68.191,fe80::a8d8:3cfd:41d6:44bf w13vkpoq
2022-10-23 12:52:52,618 DEBUG [https-jsse-nio-192.168.43.26-8443-exec-8][] cisco.cpm.posture.runtime.PostureHandlerImpl -:bob@example.com:::- Sending response to endpoint 00-0C-29-A6-39-CD http response [[ <!--X-Perfigo-UserKey=--><!--X-Perfigo-Provider=Device Filter--><!--X-Perfigo-UserName=bob@example.com--><!--error=1010--><!--X-Perfigo-DM-Error=1010--><!--user role=--><!--X-Perfigo-OrigRole=--><!--X-Perfigo-DM-Scan-Req=0--><!--X-ISE-IV=EPM3w/uyXW1Wqydnw2oM4w==-->
Contractors – Agent Stealth
Contractor: External Data Source – AD
Attributes: UDID, Compliant Status
Agent Stealth - Contractors
Screenshot labels: Client Provisioning, AD: Agent Stealth; Condition; Device ID; Attribute.

Small Branch – Agentless based
Screenshot labels: Agentless: Small Branch; Client Provisioning; AD: Agentless Posture Users; Condition and Requirements.

Agentless: Failure Flow
Screenshot label: Session-AgentlessFlowStatus

Agentless: Failure Flow #2
Client Provisioning for the failure flow
Access policy to redirect the user to the CPP (client provisioning portal)

Agentless Posture: Policy

Agentless: Troubleshooting, our tools

ISE:
▪ Authentication Flow Verification
▪ Client Provisioning Verification
▪ Posture Report

ISE posture related debugs

ise-psc.log
▪ Processing of initial and final posture report
▪ Posture policy selection
▪ PRA (periodic reassessment) operations
Search keys: one from the list (order defines priority): Session ID, EP MAC, EP IP
Combined with: cisco.cpm.posture.runtime
Debug to enable: posture

guest.log
▪ Session lookup process when the Discovery probe has reached the PSN without redirect
▪ Client provisioning policy selection
Search keys: one from the list (order defines priority): EP MAC, Endpoint IP, username
Combined with: cisco.cpm.client.posture
Debug to enable: client-webapp, provisioning, guestaccess

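The grep on the earlier debug slide and the search-key table above are the same idea: one key (session ID, endpoint MAC or endpoint IP, in that priority), a time prefix, and a logger class name. The script below is an added example, not from the session or from Cisco, that applies that filter to ise-psc.log text and pairs the "receiving request from client" line with the "Sending response to endpoint" line of one attempt, pulling the username, the endpoint and the error code out of the X-Perfigo-* fields. The sample log excerpt is constructed (modelled on the two lines shown earlier, with shortened MAC/IP lists, plus an invented 12:51 line and a "com.example.Noise" line to show the time and logger filters at work); MACs are normalised so the colon form of the request line and the dashed form of the response line both match.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of ise-psc.log, modelled on the two lines shown on the slide
# (MAC/IP lists shortened); the 12:51 line and the "com.example.Noise" line are invented
# noise so the time prefix and the logger filter have something to exclude.
SAMPLE_LOG = """\
2022-10-23 12:51:10,004 DEBUG [https-jsse-nio-192.168.43.26-8443-exec-3][] cisco.cpm.posture.runtime.PostureHandlerImpl -::::- receiving request from client 0123456789abcdef 10.10.10.5 AA:BB:CC:DD:EE:01 10.10.10.5 w13vkpoq
2022-10-23 12:52:52,526 DEBUG [https-jsse-nio-192.168.43.26-8443-exec-8][] cisco.cpm.posture.runtime.PostureHandlerImpl -::::- receiving request from client 497be29bbe8a693617ccb60b539b451d3c6a5028 192.168.253.11 00:0C:29:A6:39:D7,00:0C:29:A6:39:CD,02:00:4C:4F:4F:50 192.168.253.11,172.16.231.140 w13vkpoq
2022-10-23 12:52:52,540 DEBUG [https-jsse-nio-192.168.43.26-8443-exec-8][] com.example.Noise -::::- unrelated message mentioning 00-0C-29-A6-39-CD
2022-10-23 12:52:52,618 DEBUG [https-jsse-nio-192.168.43.26-8443-exec-8][] cisco.cpm.posture.runtime.PostureHandlerImpl -:bob@example.com:::- Sending response to endpoint 00-0C-29-A6-39-CD http response [[ <!--X-Perfigo-UserKey=--><!--X-Perfigo-Provider=Device Filter--><!--X-Perfigo-UserName=bob@example.com--><!--error=1010--><!--X-Perfigo-DM-Error=1010--><!--user role=--><!--X-Perfigo-OrigRole=--><!--X-Perfigo-DM-Scan-Req=0--><!--X-ISE-IV=EPM3w/uyXW1Wqydnw2oM4w==-->
"""

# timestamp, level, [thread][], logger class, -:user:::- message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<thread>[^\]]*)\]\[[^\]]*\] (?P<logger>\S+) "
    r"-:(?P<user>[^:]*):[^:]*:[^:]*:- (?P<msg>.*)$"
)
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
FIELD_RE = re.compile(r"<!--([^=>]+)=([^>]*)-->")   # the <!--name=value--> fields in the response


def norm_mac(mac: str) -> str:
    """Canonical MAC: lower-case hex, no separators (00-0C-29-A6-39-CD -> 000c29a639cd)."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def select_key(session_id: Optional[str] = None, mac: Optional[str] = None,
               ip: Optional[str] = None) -> Tuple[str, str]:
    """Pick one search key in the slide's priority order: Session ID, then EP MAC, then EP IP."""
    if session_id:
        return "session", session_id
    if mac:
        return "mac", norm_mac(mac)
    if ip:
        return "ip", ip
    raise ValueError("need a session ID, an endpoint MAC or an endpoint IP")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _matches_key(msg: str, key: Tuple[str, str]) -> bool:
    kind, value = key
    if kind == "mac":
        # compare canonical forms so 00:0C:29:A6:39:CD and 00-0C-29-A6-39-CD both hit
        return value in {norm_mac(m.group(0)) for m in MAC_RE.finditer(msg)}
    if kind == "ip":
        # do not let 192.168.253.1 match 192.168.253.11
        return re.search(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])", msg) is not None
    return value in msg


def search_log(text: str, key: Tuple[str, str], time_prefix: Optional[str] = None,
               logger_prefix: Optional[str] = "cisco.cpm.posture.runtime") -> List[Dict[str, str]]:
    """Lines of one posture attempt: key AND time prefix AND logger class, like the slide's grep."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if time_prefix and not rec["ts"].startswith(time_prefix):
            continue
        if logger_prefix and not rec["logger"].startswith(logger_prefix):
            continue
        if _matches_key(rec["msg"], key):
            hits.append(rec)
    return hits


def response_fields(msg: str) -> Dict[str, str]:
    """The <!--name=value--> fields ISE puts in the posture HTTP response."""
    return {k: v for k, v in FIELD_RE.findall(msg)}


def summarize_attempt(text: str, key: Tuple[str, str],
                      time_prefix: Optional[str] = None) -> Dict[str, object]:
    """Pair the 'receiving request from client' and 'Sending response to endpoint' lines and pull
    out what you read first: the user, the endpoint that got the answer and the error code."""
    recs = search_log(text, key, time_prefix)
    requests = [r for r in recs if "receiving request from client" in r["msg"]]
    responses = [r for r in recs if "Sending response to endpoint" in r["msg"]]
    out: Dict[str, object] = {"requests": len(requests), "responses": len(responses),
                              "user": None, "endpoint": None, "error": None}
    if responses:
        last = responses[-1]
        fields = response_fields(last["msg"])
        ep = re.search(r"Sending response to endpoint (\S+)", last["msg"])
        out.update(user=last["user"] or fields.get("X-Perfigo-UserName"),
                   endpoint=ep.group(1) if ep else None,
                   error=fields.get("X-Perfigo-DM-Error") or fields.get("error"))
    return out


if __name__ == "__main__":
    key = select_key(mac="00-0C-29-A6-39-CD")
    for rec in search_log(SAMPLE_LOG, key, time_prefix="2022-10-23 12:52:"):
        print(rec["ts"], rec["logger"].rsplit(".", 1)[-1], rec["msg"][:60])
    print(summarize_attempt(SAMPLE_LOG, key, "2022-10-23 12:52:"))
```

For guest.log pass logger_prefix="cisco.cpm.client.posture" and a MAC, IP or username key, following the second half of the table. Searching for 00:0C:29:A6:39:D7 (the first MAC of the client's list) finds the request but not the response, which was sent to 00-0C-29-A6-39-CD; that asymmetry is exactly why the slide's grep carries two different MACs.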
Agentless: Common issues #1

Endpoint not reachable
▪ Port 5985: TCP 5985 is the WinRM (HTTP) listener that the PSN connects to on a Windows endpoint; if the listener is not up, agentless posture cannot start.
▪ Firewall ACL/DACL: every filter between the PSN and the endpoint, including the DACL applied to the endpoint's own session, must permit that connection, not only the DNS/DHCP/portal traffic a redirect DACL usually allows.

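To make "Port 5985" and "Firewall ACL/DACL" concrete, the following is an added example (not from the session or from Cisco) that evaluates a Cisco-style DACL with first-match semantics against the WinRM connection the PSN opens to a Windows endpoint. The PSN and endpoint addresses are the ones visible in the earlier log lines; the two DACLs are constructed. It checks both packets of the connection: a switch-port DACL is applied to traffic entering the port from the endpoint, so what it sees is the endpoint's reply with source port 5985, whereas a stateless firewall ACL in the path sees the PSN's SYN to destination port 5985. The redirect-style DACL, which permits only DNS, DHCP and TCP/8443 to the PSN, fails both; the fixed one adds an ACE for each direction.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses taken from the slide's log lines (PSN 192.168.43.26, endpoint 192.168.253.11);
# the two DACLs are constructed for this example, not taken from the session.
PSN = "192.168.43.26"
ENDPOINT = "192.168.253.11"
WINRM_PORT = 5985

REDIRECT_DACL = """\
permit udp any any eq 53
permit udp any any eq 67
permit tcp any host 192.168.43.26 eq 8443
deny ip any any
"""

FIXED_DACL = """\
permit udp any any eq 53
permit udp any any eq 67
permit tcp any host 192.168.43.26 eq 8443
permit tcp any eq 5985 host 192.168.43.26
permit tcp host 192.168.43.26 any eq 5985
deny ip any any
"""


@dataclass
class Ace:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | ...
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port
    text: str


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard mask (0.0.0.255) -> network; non-contiguous masks raise."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(mask)), strict=False)


def _take_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tok[i], tok[i + 1]), i + 2


def _take_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """'permit tcp any eq 5985 host 192.168.43.26' -> Ace. Only any/host/wildcard and 'eq' are supported."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _take_addr(tok, 2)
    sport, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, i = _take_port(tok, i)
    if i != len(tok):
        raise ValueError(f"unsupported trailing tokens in ACE: {line!r}")
    return Ace(tok[0], tok[1], src, sport, dst, dport, line)


def parse_dacl(text: str) -> List[Ace]:
    return [parse_ace(l.strip()) for l in text.splitlines() if l.strip() and not l.strip().startswith("!")]


def evaluate(acl: List[Ace], proto: str, src: str, sport: Optional[int],
             dst: str, dport: Optional[int]) -> Tuple[str, str]:
    """First match wins, with the implicit deny at the end, as on a Cisco ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


def check_winrm_path(dacl_text: str, psn: str = PSN, endpoint: str = ENDPOINT,
                     port: int = WINRM_PORT) -> Dict[str, object]:
    """Both packets of the PSN-initiated WinRM connection:
    forward = PSN -> endpoint SYN to dport 5985 (what a stateless firewall ACL in the path sees);
    back    = endpoint -> PSN reply from sport 5985 (what a switch-port DACL, applied to traffic
              entering the port from the endpoint, sees)."""
    acl = parse_dacl(dacl_text)
    forward = evaluate(acl, "tcp", psn, None, endpoint, port)
    back = evaluate(acl, "tcp", endpoint, port, psn, None)
    return {"forward": forward, "back": back,
            "ok": forward[0] == "permit" and back[0] == "permit"}


if __name__ == "__main__":
    for name, dacl in (("redirect DACL", REDIRECT_DACL), ("fixed DACL", FIXED_DACL)):
        print(name, check_winrm_path(dacl))
```

The evaluator is deliberately stateless and IPv4-only and understands only any/host/wildcard addresses and eq ports, which covers what a posture DACL normally contains; it tells you which ACE (or the implicit deny) decided each direction, which is the question to answer before touching the WinRM configuration on the endpoint.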
Agentless: Common issues #2

IPs are unreachable

HTTP 401
An HTTP 401 answer means the TCP connection to the endpoint works but the request was not authorized: check the credentials and the authentication method used for agentless posture rather than the network path.

Implementation caveats recap
Diagram labels: Client provisioning per user group: AD: group 1, AD: group 2, ISE Agentless, Agent. Authorization Policy per user group: Temporal, AD: group 1, Non-Compliant.

Key Takeaways
• Time Protection
• Requirements and Remediations
• Visibility

Vigilance on what is on your network is just as important as who is on the network. That is why posture is so important.

Continue Your Education
• Visit the Cisco Showcase for related demos.
• Book your one-on-one Meet the Engineer meeting.
• Attend any of the related sessions at the DevNet, Capture the Flag, and Walk-in Labs zones.
• Visit the On-Demand Library for more sessions at ciscolive.com/on-demand.

Complete your Session Survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (open from Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Session Catalog and clicking the "Attendee Dashboard" at https://www.ciscolive.com/emea/learn/sessions/session-catalog.html

MTS – Meet the Speaker – Area 2
Let's continue the discussion/Q&A
Tuesday, Feb 7, 12:20 - 12:50 PM

Next action

New Posture script condition

Task for you: test it in your lab!

Thank you
